CHAPTER FIVE

TOWARD A DEFENSIVE STRATEGY

Military theorists and statesmen, from Sun Tzu to von Clausewitz to Herman Kahn, have for centuries defined and redefined military strategy in varying ways, but they tend to agree that it involves an articulation of goals, means (broadly defined), limits (perhaps), and possibly sequencing. In short, military strategy is an integrated theory about what we want to do and how, in general, we plan to do it. In part because Congress has required it, successive U.S. administrations have periodically published a National Security Strategy and a National Military Strategy for all the world to read. Within the military, the U.S. has many substrategies, such as a naval strategy, a counterinsurgency strategy, and a strategic nuclear strategy. The U.S. government has also publicly published strategies for dealing with issues wherein the military plays only a limited role, such as controlling illegal narcotics trafficking, countering terrorism, and stopping the proliferation of weapons of mass destruction. Oh yes, there is also that National Strategy to Secure Cyberspace dating back to 2003; but there is no publicly available cyber war strategy.

In the absence of a strategy for cyber war, we do not have an integrated theory about how to address key issues. To prove that, let’s play Twenty Questions and see if there are agreed-upon answers to some pretty obvious questions about how to conduct cyber war:

  • What do we do if we wake up one day and find the western half of the U.S. without electrical power as the result of a cyber attack?
  • Is the advent of cyber war a good thing, or does it place us at a disadvantage?
  • Do we envision the use of cyber war weapons only in response to the use of cyber war weapons against us?
  • Are cyber weapons something that we will employ routinely in both small and large conflicts? Will we use them early in a conflict because they give us a unique advantage in seeking our goals, such as maybe effecting a rapid end to the conflict?
  • Do we think we want to have plans and capabilities to conduct “stand-alone” cyber war against another nation? And will we fight in cyberspace even when we’re not shooting at the other side in physical space?
  • Do we see cyberspace as another domain (like the sea, airspace, or outer space) in which we must be militarily dominant and in which we will engage an opponent while simultaneously conducting operations in other domains?
  • How surely do we have to identify who attacked us in cyberspace before we respond? What standards will we use for these identifications?
  • Will we ever hide the fact that it was us who attacked with cyber weapons?
  • Should we be hacking into other nations’ networks in peacetime? If so, should there be any constraints on what we would do in peacetime?
  • What do we do if we find that other nations have hacked into our networks in peacetime? What if they left behind logic bombs in our infrastructure networks?
  • Do we intend to use cyber weapons primarily or initially against military targets only? How do we define military targets?
  • Or do we see the utility of cyber weapons being their ability to inflict disruption on the economic infrastructure or the society at large?
  • What is the importance of avoiding collateral damage with our cyber weapons? How might avoiding it limit our use of the weapons?
  • If we are attacked with cyber weapons, under what circumstances would, or should, we respond with kinetic weapons? How much of the answer to this question should be publicly known in advance?
  • What kind of goals specific to the employment of cyber weapons would we want to achieve if we conducted cyber war, either in conjunction with kinetic war or as a stand-alone activity?
  • Should the line between peace and cyber war be brightly delineated, or is there an advantage to us in blurring that distinction?
  • Would we fight cyber war in a coalition with other nations, helping to defend their cyberspace and sharing our cyber weapons, tactics, and targets?
  • What level of command authority should authorize the use of cyber weapons, select the weapons, and approve the targets?
  • Are there types of targets that we believe should not be attacked using cyber weapons? Do we attack them anyway if similar U.S. facilities are hit first by cyber or other weapons?
  • How do we signal our intentions with regard to cyber weapons in peacetime and in crisis? Are there ways that we can use our possession of cyber weapons to deter an opponent?
  • If an opponent is successful in launching a widespread, disabling attack on our military or on our economic infrastructure, how does that affect our other military and political strategies?

Didn’t do too well finding the answers anywhere in U.S. government documents, congressional hearings, or officials’ speeches? I didn’t, either. To be fair, these are not easy questions to answer, which is, no doubt, part of the reason they have not yet been knitted together into a strategy. As with much else, how one answers these and other questions will depend upon one’s experience and responsibilities, as well as the perspective that both create. Any general would like to be able to flip a switch and turn off the opposing force, especially if the same cannot be done to his forces in return. Modern generals know, however, that militaries are one of many instruments of the state, and the ultimate success of a military is now judged not just by what it does to the opponent, but by how well it protects and supports the rest of the state, including its underpinning economy. Military leaders and diplomats have also learned from past experiences that there is a fine line between prudent preparation to defend oneself and provocative activities that may actually increase the probability of conflict. Thus, crafting a cyber war strategy is not as obvious as simply embracing our newly discovered weapons, as the U.S. military did with nuclear weapons following Hiroshima.

It took a decade and a half after nuclear weapons were first used before a complex strategy for employing them, and, better yet, for not using them, was articulated and implemented. During those first years of the nuclear weapons era, accidental war almost occurred several times. The nuclear weapons strategy that eventually emerged reduced that risk significantly. Nuclear war strategy will be referenced a lot in this and the next chapter. The big differences between cyber war and nuclear war are obvious, but some of the concepts developed in the creation of nuclear war strategy have applicability to this new field. Others do not. Nonetheless, we can learn something about how a complex strategy for using new weapons can be developed by reviewing what went on in the 1950s and 1960s. And, where appropriate, we can borrow and adapt some of those concepts as we try to piece together a cyber war strategy.

THE ROLE OF DEFENSE IN OUR CYBER WAR STRATEGY

I asked at the beginning of this book: Are we better off in a world with cyber weapons and cyber war than in a theoretical world in which they never existed? The discussion in the ensuing chapters demonstrated, at least to me, that as things stand today the United States has gaping new vulnerabilities because others have cyber war capabilities. Indeed, because of its greater dependence on cyber-controlled systems and its inability thus far to create national cyber defenses, the United States is currently far more vulnerable to cyber war than Russia or China. The U.S. is more at risk from cyber war than are minor states like North Korea. We may even be at risk some day from nations or nonstate actors lacking cyber war capabilities, but who can hire teams of highly capable hackers.

Put aside for the moment the question of how it would start and consider a U.S.-Chinese cyber war as an example. We might have better offensive cyber weapons than others, but the fact that we might be able to turn off the Chinese air defense system will give most Americans limited comfort if in some future crisis the cyber warriors of the People’s Liberation Army have kept power off in most American cities for weeks, shut the financial markets by corrupting their data, and created food and parts shortages nationwide by scrambling the routing systems at major U.S. railroads. Although much of China is highly advanced, a lot of it is still far from dependent upon networks controlled in cyberspace. The Chinese government may also have to worry less about temporary inconveniences experienced by its citizens or the political acceptability of measures it might impose in an emergency.

Net/net, cyber war puts America at a disadvantage right now. Whatever we can do to “them,” chances are they can do more to us. We need to change that situation.

Unless we reduce our vulnerabilities to cyber attack, we will suffer from self-deterrence. Our knowing about what others could do to us may create a situation in which we are reluctant to use our superiority in other areas, like conventional weapons, in situations where it might be warranted for us to get involved. Other nations’ cyber weapons may deter us from acting, not just in cyberspace but in other ways as well. In future scenarios, like ones involving China and Taiwan, or China and the offshore oil dispute, will an American President really still have the option of sending carrier battle groups to prevent Chinese action? What President would order the Navy into the Taiwan Straits, as Clinton did in 1996, if he or she thought that a power blackout that had just hit Chicago was a signal and that blackouts could spread to every major American city if we got involved? Or maybe the data difficulties the Chicago Mercantile Exchange might have just experienced could happen to every major financial institution? Worse yet, what if the Chairman of the Joint Chiefs tells the President that he does not really know whether the Chinese can launch a damaging cyber attack that would leave the carrier battle group sitting helpless in the water? Would the President run the risk of deploying our naval superiority if trying to do so might only demonstrate that an opponent can shut down, blind, or confuse our forces?

The fact that our vital systems are so vulnerable to cyber war also increases crisis instability. As long as our economic and military systems are so obviously vulnerable to cyber war, they will tempt opponents to attack in a period of tensions. Opponents may think that they have an opportunity to reshape the political, economic, and military balance by demonstrating to the world what they can do to America. They may believe that the threat of even greater damage will appear credible and will prevent a U.S. response. Once they do launch a cyber attack, however, the U.S. leadership may feel compelled to respond. That response might not be limited to cyberspace, and the conflict could quickly escalate and get out of control.

These current circumstances argue for rapidly taking steps to reduce the strategic imbalance in which the U.S. is disadvantaged by the advent of cyber war capabilities. The answer is not to just add to our cyber offensive superiority. More U.S. cyber attack capability is unlikely to improve the imbalance or end the potential crisis instability. Unlike in conventional war, a superior offense cannot be certain to find and destroy all of the opponent’s offensive capability. The tools needed to cripple the U.S. may already be in the U.S. They may not even have entered America through cyberspace, where they might be discovered, but rather on CDs in diplomatic pouches, or in USB thumb drives in businessmen’s briefcases.

What is needed to reduce the risk that a nation-state will threaten to use cyber weapons against us in a crisis is for the U.S. to have a credible defense. We must cast so much doubt in the mind of a potential attacker about whether an attack would work against our defenses that he would be deterred from trying it. We want potential opponents to think that their cyber arrows might just bounce off our shields. Or at least they should think that enough of our key systems are sufficiently protected that the damage they can do to us will not be decisive. We are a long way from there today.

Defending the U.S. from cyber attacks should be the first goal of a cyber war strategy. After all, the primary purpose of any U.S. national security strategy is the defense of the United States. We do not develop weapons for the purpose of extending our hegemony over various domains (the seas, outer space, cyberspace), but as a way to safeguard the nation. While that seems simple enough, it gets complicated quickly because there are those who believe that the best way in which to defend is to attack and destroy the opponent before they can inflict damage on us.

When General Robert Elder was commander of the Air Force Cyberspace Command he told reporters that although his command has a defensive responsibility, it planned to disable an opponent’s computer networks. “We want to go in and knock them out in the first round,” he said. This is reminiscent of another Air Force general, Curtis LeMay, who in the 1950s, as commander of Strategic Air Command, explained to RAND Corporation analysts that his bombers would not be destroyed on the ground by a Soviet attack because “we’re going first.”

That kind of thinking is dangerous. If we do not have a credible defense strategy, we will be forced to escalate in a cyber conflict very quickly. We will need to be more aggressive in getting into our adversary’s systems so that we can stop their attacks before they reach our undefended systems. That will be destabilizing, forcing us to treat potential adversaries as current ones. We will also need to take a stronger declaratory posture to try to deter attacks on our systems by threatening to “go kinetic” in response to a cyber attack, and it will be more likely that our adversaries will think they can call that bluff.

One reason that many U.S. cyber warriors think that the best defense is a good offense is their perception of how difficult it would be to defend only by protecting. The military sees how extensive the important targets are in America’s cyberspace and throws up its hands at the task of defending them all. Besides, they note (conveniently) that the U.S. military does not have the legal authority to defend privately owned and operated targets in the United States such as banks, power companies, railroads, and airlines.

This argument is the same one the Bush Administration made about Homeland Security after 9/11: that it would be too expensive to defend the U.S. against terrorists at home, so we needed to go to “the source.” That thinking has had us knee deep in two wars for the last decade at a cost projected to reach $2.4 trillion, and has already cost over 5,000 American lives.

It’s axiomatic that there is no single measure (or, as many in the Pentagon like to say, in a nod to the cowboy known as the Lone Ranger, no “silver bullet”) that could secure U.S. cyberspace. There may, however, be a handful of steps that would protect enough of the key assets, or at least throw doubt into the mind of a potential attacker, by making it very difficult to stage a successful large-scale cyber assault on America.

Protecting every computer in the U.S. from cyber attack is hopeless, but it may be possible to sufficiently harden the important networks that a nation-state attacker would target. We need to harden them enough that no attack could disable our military’s ability to respond or severely undermine our economy. Even if our defense is not perfect, these hardened networks may be able to survive sufficiently, or bounce back quickly enough, so that the damage done by an attack would not be crippling. If we can’t defend every major system, what do we protect? There are three key components to U.S. cyberspace that must be defended, or, to borrow another phrase from nuclear strategy, a “triad.”

THE DEFENSIVE TRIAD

Our Defensive Triad strategy would be a departure from what Clinton, Bush, and now Obama have done. Clinton in his National Plan and Bush in his National Strategy both sought to have every critical infrastructure defend itself from cyber attack. There were eventually eighteen industries identified as critical infrastructures, ranging from electric power and banking to food and retail. As previously noted, all three Presidents “eschewed regulation” as a means of reducing cyber vulnerabilities. Little happened. Bush, in the last of his eight years in office, approved an approach to cyber war that largely ignored the privately owned and operated infrastructures. It focused on defending government systems and on creating a military Cyber Command. Obama is implementing the Bush plan, including the military command, with little or no modification to date.

The Defensive Triad Strategy would use federal regulation as a major tool to create cyber security requirements, and it would, at least initially, focus defensive efforts on only three sectors.

First is the backbone. As noted in chapter 3, there are hundreds of Internet service provider companies, but only a half dozen or so large ISPs provide what is called the backbone of the Internet. They include AT&T, Verizon, Level 3, Qwest, and Sprint. These are the “trunks,” or Tier 1 ISPs, meaning that they can connect directly to most other ISPs in the country. These are the companies that own the “big pipes,” thousands of miles of fiber-optic cable running across the country, into every corner of the nation, and hooking up with undersea fiber-optic cables to connect to the world. Over 90 percent of Internet traffic in the U.S. moves on these Tier 1’s, and it is usually impossible to get to anyplace in the U.S. without traversing one of these backbone providers. So, if you protect the Tier 1’s, you are worrying about most of the Internet infrastructure in the U.S. and also other parts of cyberspace.

To attack most private-sector and government networks, you generally have to connect to them over the Internet and specifically, at some point, over the backbone. If you could catch the attack entering the backbone, you could stop it before it got to the network it was going to attack. If you did that, you would not have to worry as much about hardening tens of thousands of potential targets for cyber attack. Think about it this way: if you knew someone from New Jersey was going to drive a truck bomb into a building in Manhattan, you could defend every important building on the island (have fun getting agreement on which ones those would be), or you could inspect all trucks before they went on one of the fourteen bridges or into the four tunnels that connect to the island.

Inspecting all the Internet traffic about to enter the backbone theoretically poses two significant problems, one technical and one of policy. The technical problem is, simply, this: there is a lot of traffic and no one wants you slowing it down to look for malware or attack scripts. The policy problem is that no one wants you reading their e-mails or webpage requests.

The technical issue can be overcome with existing technology. As speeds increase, there could be difficulty scanning without introducing delay if the scanning technology failed to keep pace. Today, however, several companies have demonstrated hardware/software combinations that can scan what moves on the Internet, the small packets of ones and zeros that combine to make an e-mail or webpage. The scanning can be done so fast that it introduces no measurable delay in the packets’ speeding down the fiber-optic line. And it is not just the “to” and “from” lines on the packets, the so-called headers, that would be examined, but the data level, where the malware would be. This capability is described as “deep-packet inspection,” and the speed is called “line rate.” The absence of delay is called “no latency.” We can now do deep-packet inspection at a line rate with no latency. So the technical hurdle has been met, at least for now.

The policy problem can also be solved. We do not want the government or even an ISP reading our e-mails. The system of deep-packet inspection proposed here would be fully automated. It would not be looking for keywords, but only at the payload to see if there are predetermined patterns of ones and zeros that match up with known attack software. It’s looking for signatures. If it finds an attack, it could just “black hole” the packets, dump them into cyber oblivion, or it could quarantine them, put them aside for analysis. For Americans to be satisfied that such a deep-packet inspection system were not Big Brother spying on us, it would have to be run by the Tier 1 ISPs themselves and not by the government. Moreover, there would have to be rigorous oversight by an active Privacy and Civil Liberties Protection Board to ensure that neither the ISPs nor the government was illegally spying on us.

The idea of putting deep-packet inspection systems on the backbone does not create the risk of government spying on us. That risk already exists. As we saw with the illegal wiretapping in the Bush Administration, if the checks and balances in the system fail, the government can already improperly monitor citizens. That is a major concern and needs to be prevented by real oversight mechanisms and tough punishment for those who break the law. Our nation’s strong belief in privacy rights and civil liberties is not incompatible with what we need to do to defend our cyberspace. Giving guns to police does raise the possibility that some policemen may get involved in unjust shootings on rare occasions, but we recognize that we need armed police to defend us and we work hard at making sure that unjust shootings are prevented. So, too, we can deploy deep-packet inspection systems on Internet backbone ISPs, recognizing that we need them there to protect us, and we have to make sure that they do not get misused.

How would such a system get deployed? The deep-packet inspection systems would be placed where fiber-optic cables come up out of the ocean and enter the U.S., at “peering points,” where the Tier 1 ISPs connect to each other and the smaller networks, and at various other points on the Tier 1 networks. The government, perhaps Homeland Security, would probably have to pay for the systems, even though they would be run by the ISPs and maybe systems integrator companies. The signatures of the malware that the black box scanners would look for would come from Internet security companies such as Symantec and McAfee, which have elaborate global systems to look for malware. The ISPs and government agencies could also provide signatures.

The black box inspectors would have to be connected to each other on a closed network, what is called “out-of-band communications” (not on the Internet), so that they could be updated quickly and reliably even if the Internet were experiencing difficulties. Imagine that a new piece of attack software enters into cyberspace, one that no one has ever seen before. This “Zero Day” malware begins to cause a problem by attacking some sites. The deep-packet inspection system would be tied into Internet security companies, research centers, and government agencies that are looking for Zero Day attacks. Within minutes of the malware being seen, its signature would be flashed out to the scanners, which would start blocking it and would contain the attack.

A precursor to this kind of deep-packet inspection system is already being deployed. Verizon and AT&T can, at some locations, scan for signatures that they have identified, but they have been reluctant to “black hole” (or kill) malicious traffic because of the risk that they might be sued by customers whose service is interrupted. The carriers would probably win any such suit because their service-level agreements (SLAs) with their customers usually state that they have the right to deny service if the customer’s activity is illegal or disruptive to the network. Nonetheless, because of the typical abundance of caution from their lawyers, the companies are doing less than they could to secure cyberspace. Legislation or regulation is probably needed to clarify the issue.

The Department of Homeland Security’s “Einstein” system, discussed in chapter 4, has been installed at some of the locations where government departments connect to the Tier 1 ISPs. Einstein only monitors government networks. The Defense Department has a similar system at the sixteen locations where the unclassified DoD intranet connects to the public Internet.

A more advanced system, with higher speed capacity, more memory and processing capabilities, and out-of-band connectivity, could help to minimize or deter a large-scale cyber attack if it were broadly deployed to protect not just the government, but the backbone on which all networks rely. By defending the backbone in this way, we should be able to stop most attacks against our key government and private-sector systems. The independent Federal Communications Commission has the authority today to issue regulations requiring the Tier 1 ISPs to establish such a protective system. The Tier 1’s could pass along the costs to their customers and to smaller ISPs that peer with them. Alternatively, Congress could appropriate funds for some or all of the system. So far, the government is only beginning to move in this direction, and then only to protect itself, not the private-sector networks on which our economy, government, and national security rely.

ISPs should also be required to do more to keep our nation’s portion of the cyber ecosystem clean. Ed Amoroso, the chief security officer at AT&T, told me that his security operations center watches as computers that have been taken over by a botnet spew out DDoS traffic and spam. They know which subscribers are infected, but they don’t dare inform the customer (much less cut off access) out of fear that customers would switch providers and try to sue them for violating their privacy. That equation needs to be stood on its head. ISPs should be required to inform customers of the network when data shows that their computers have been made part of a botnet. ISPs should be required to shut off access if customers do not respond after being notified. They should also be required to provide free antivirus software to their subscribers, as many now do because it helps them manage their bandwidth better; and subscribers should be required to use it (or whatever antivirus software they choose). We don’t let car manufacturers sell cars without seat belts, and in most states we don’t let people drive cars unless they are wearing them. The same logic should apply on the Internet, because poor computer security by an individual creates a national security problem for us all.

In addition to the Tier 1 carriers screening Internet traffic at packet level for known malware, blocking those packets that match previously identified attacks, related steps could be added to strengthen the system. First, with relatively little investment of money and time, software could be developed to identify “morphed malware.” The software would look for slight variations in known attack signatures, changes that attackers might use in attempts to slip by the deep packet inspection of previously identified hacks. Second, in addition to having the Tier 1 ISPs looking for malware, government and large, regulated commercial institutions such as banks would also contract with hosting and data centers to do deep-packet inspection. At a handful of large hosting data centers scattered around the country, the fibers of Tier 1 ISPs come together to do switching among the networks. At these locations, some large institutions also have their own servers locked behind fencing in row upon row of blinking equipment or stashed in highly secured rooms. The operators of these centers can screen for known malware as a second level of defense. Moreover, the data center operators or IT security firms can also look at data after it has passed by. The data centers can provide managed security services, looking for anomalous activity that might be caused by previously unidentified malware. Unlike the attempts to block known malware as it comes in, the managed security services would look for patterns of suspicious behavior and anomalous activity of data packets over time. By doing that, they may be able to spot more complicated two-step attacks and new Zero Day malware. That new malware would then be added to the list of things to be blocked. Searches could be performed for locations in the data banks where the new malware had gone, perhaps allowing the system to stop large-scale exfiltration of data.
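As an added illustration of the payload-level signature scanning and the “morphed malware” variant detection described above (not code from the book or from any carrier or vendor), the following Python sketch examines only the data portion of constructed packets, tolerates a bounded number of differing bytes so that slight variations of a known signature are still caught, and applies the black-hole or quarantine action. The signature patterns, packet contents, and Hamming-distance tolerance are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Signature:
    """A known-attack pattern, as one pushed to the scanners over the out-of-band channel."""
    name: str
    pattern: bytes              # byte sequence seen in the attack payload (constructed below)
    max_mismatch: int = 0       # byte positions allowed to differ, to catch "morphed" variants
    action: str = "blackhole"   # "blackhole" drops the packet; "quarantine" sets it aside


@dataclass
class BackboneScanner:
    signatures: List[Signature] = field(default_factory=list)
    quarantined: List[Tuple[str, bytes]] = field(default_factory=list)
    dropped: int = 0

    def update(self, sig: Signature) -> None:
        """Signature update, as a fresh Zero Day signature would arrive from a research centre."""
        self.signatures.append(sig)

    def _matches(self, payload: bytes, sig: Signature) -> bool:
        n = len(sig.pattern)
        if n == 0 or n > len(payload):
            return False
        for i in range(len(payload) - n + 1):
            window = payload[i:i + n]
            if window == sig.pattern:
                return True                      # exact, previously identified attack
            if sig.max_mismatch == 0:
                continue
            # Hamming-distance tolerance: count differing bytes, stop early when too many differ.
            mismatches = 0
            for a, b in zip(window, sig.pattern):
                if a != b:
                    mismatches += 1
                    if mismatches > sig.max_mismatch:
                        break
            else:
                return True                      # a "morphed" variant within tolerance
        return False

    def inspect_packet(self, packet: Dict[str, object]) -> Tuple[str, Optional[str]]:
        """Only the data level is examined; src/dst headers and any keywords are ignored."""
        payload = packet["payload"]
        for sig in self.signatures:
            if self._matches(payload, sig):
                if sig.action == "quarantine":
                    self.quarantined.append((sig.name, payload))
                else:
                    self.dropped += 1
                return sig.action, sig.name
        return "forward", None


def demo() -> List[Tuple[str, Optional[str]]]:
    """Runs constructed packets through a scanner loaded with two constructed signatures."""
    scanner = BackboneScanner()
    scanner.update(Signature("demo-worm", b"DEMO-ATTACK-SIGNATURE-A", max_mismatch=2))
    scanner.update(Signature("demo-probe", b"PROBE-MARKER", action="quarantine"))
    packets = [
        {"src": "203.0.113.5", "dst": "198.51.100.7", "payload": b"Subject: lunch on Friday?"},
        {"src": "203.0.113.9", "dst": "198.51.100.7", "payload": b"..DEMO-ATTACK-SIGNATURE-A.."},
        {"src": "203.0.113.9", "dst": "198.51.100.8", "payload": b"..DEMO-ATTACK-SIGNATURE-Q.."},
        {"src": "203.0.113.4", "dst": "198.51.100.9", "payload": b"GET / PROBE-MARKER"},
    ]
    return [scanner.inspect_packet(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```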

By paying the ISPs and managed security service providers to do this sort of data screening, the government would remain sufficiently removed from the process to protect privacy and to encourage competition. The government’s role, in addition to paying for the defenses, would be to provide its own information about malware (locked up in a black box if necessary), incentivize firms to discover attacks, and create a mechanism to allow the public to confirm that privacy information and civil liberties are well protected. Unlike a single line of defense owned and operated by the government (such as the “Einstein” system being created by the Department of Homeland Security to protect civilian federal agencies), this would be a multilayer, multiple-provider system that would encourage innovation and competition among private sector IT companies. If the government was aware that a cyber war was about to break out, or if one already had, a series of federal network operation centers could interact with these private IT defenders and with the network operation centers (NOCs) of key privately owned institutions to coordinate a defense. For that to happen, the government would have to create in advance a dedicated communications network among the NOCs, one that was highly secure, entirely separated, and in other ways different from the Internet. (The fact that such a new network would be needed should tell you something about the Internet.)

The second prong of a Defensive Triad is a secure power grid. The simplest way to think about this idea is to ask, as some have, why the hell is the power grid connected to cyberspace at all, anyway? Without electricity, most other things we rely on do not work, or at least not for long. The easiest thing a nation-state cyber attacker could do today to have a major impact on the U.S. would be to shut down sections of the Eastern or Western Interconnects, the two big grids that cover the U.S. and Canada. (Texas has its own, third grid.) Backup power systems are limited in duration and notorious for not coming on when needed (as happened at my house last night when a lightning storm hit the rural power net, creating a localized blackout; my automatic-starting generator sat there like an oversized doorstop). Could those three North American power-sharing systems, composed of hundreds of generation and transmission companies, be secured?

Yes, but not without additional federal regulation. That regulation would be focused on disconnecting the control network for the power generation and distribution companies from the Internet and then making access to those networks require authentication. It would really not be all that expensive, but try telling that to the power companies. When asked what assets of theirs were critical and should be covered by cyber security regulations, the industry replied that 95 percent of their assets should be left unregulated with regard to cyber security. One cyber security expert who works with the major cyber security auditing firms said he asked each audit firm that had worked with power companies if they had been able in their audits to get to the power grid controls from the Internet. All six firms said they had. How long did it take them? None had taken longer than an hour. That hour was spent hacking into the company’s public website, then from there into the company’s intranet, then through “the bridge” they all have to their control systems. Some audits cut the time by hacking into the Internet-based phones (voice over Internet protocol, or VOIP, phones) that were sitting in the control rooms. These phones are by definition connected to the Internet; that’s how they connect to the telephone network. If they are in the control room, they are also probably connected to the network that runs the power system. Good thinking, huh? Oh, it gets better. In some places the commands to electrical grid components are sent in the clear (that is, unencrypted) via radio, including microwave. Just sit nearby, transmit on the same frequency with more energy in your signal than the power company is using, and you are giving the commands (if you know what the command software looks like).

The Federal Energy Regulatory Commission (FERC) promises that in 2010 it really will start penalizing power companies that do not have secure cyber systems. What they have not said is how the Commission will know who is in violation, since the FERC doesn’t have the staff to regularly inspect. The U.S. Department of Energy, however, has hired two cyber security experts to determine if the $3.4 billion in Smart Grid grants are going to new programs that are adequately secured. Smart Grid is the Obama Administration’s idea to make the power grid even more integrated and digitized. Power companies can ask for some of that money by submitting proposals to the Energy Department. When they do, the two experts will read the proposals to see if there is a section somewhere that says “cyber security.” The Energy Department refuses to say who the two experts are or what they will be looking for in the “cyber security” section of the grant proposal. There are no publicly available standards. One idea for a standard might be that the taxpayers don’t give any of the $3.4 billion in Smart Grid money to companies that haven’t secured their current systems. Don’t expect the Energy Department to use that standard anytime soon, because that would mean taking advantage of this unique federal giveaway program to incentivize people to make things more secure. That smacks of regulation, which, of course, is just like socialism, which is un-American. So, we will soon have a more digital Smart Grid, which will also be a Less Secure Grid. How could we make the U.S. national electrical system a Smart and Secure Grid?

The first step in that direction would be issuing and enforcing serious regulations to require electric companies to make it next to impossible to obtain unauthorized access to the control network for the power grid. That would mean no pathway at all from the Internet to the control system. In addition, the same kind of deep-packet inspection boxes I proposed placing on the Internet backbone could be placed on the points where the control systems link to the power companies’ intranets. Then, just to make things even harder for an attacking cyber warrior, we could require that the actual control signals sent to generators, transformers, and other key components be both encrypted and authenticated. Encrypting the signals would mean that even if you could hack your way in and try to give an instruction to a generator, you would not have the secret code to do so. Authenticating the commands would mean that through a proof of identity procedure, or electronic “handshake,” the generator or transformer would know for sure that the command signal it was getting was coming from the right place. Because some parts of the grid might still be taken over by a nation-state hacker, certain key sections should have a backup communication system for sending command and control signals so that they could restore service.
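As an added illustration of the last two requirements (not code from the book or from any utility), here is a minimal command channel in Go that encrypts each control signal and authenticates both its contents and its intended recipient, using AES-GCM from the standard library. The device IDs, the command strings and the pre-shared key are constructed for the demo; how keys reach field devices is assumed to be handled elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Frame is one protected control command as sent over the radio or fiber link.
type Frame struct {
	Counter uint64 // monotonic, so a captured frame cannot be rebroadcast later
	Body    []byte // AES-GCM ciphertext followed by its 16-byte authentication tag
}

// Sender is the control-center side, Receiver the field device; both hold the
// same pre-shared key (how that key is distributed is out of scope here).
type Sender struct {
	AEAD    cipher.AEAD
	Counter uint64
}
type Receiver struct {
	AEAD     cipher.AEAD
	DeviceID string // this component's identity, checked as associated data
	LastSeen uint64 // highest counter accepted so far
}

// NewAEAD builds AES-GCM from a 16-, 24- or 32-byte key.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor maps the counter onto GCM's 96-bit nonce; one sender per key keeps it unique.
func nonceFor(counter uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], counter)
	return nonce
}

// Seal encrypts cmd and binds it to the target device via the associated data.
func (s *Sender) Seal(deviceID string, cmd []byte) Frame {
	s.Counter++
	body := s.AEAD.Seal(nil, nonceFor(s.Counter), cmd, []byte(deviceID))
	return Frame{Counter: s.Counter, Body: body}
}

// Open accepts a command only if its counter is fresh and the ciphertext
// authenticates under this device's own ID; anything else is discarded.
func (r *Receiver) Open(f Frame) ([]byte, error) {
	if f.Counter <= r.LastSeen {
		return nil, fmt.Errorf("counter %d already seen: replay refused", f.Counter)
	}
	cmd, err := r.AEAD.Open(nil, nonceFor(f.Counter), f.Body, []byte(r.DeviceID))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: command discarded")
	}
	r.LastSeen = f.Counter
	return cmd, nil
}

func main() {
	a, _ := NewAEAD([]byte("constructed-demo-key-32-bytes!!!")) // demo key only
	s, r := &Sender{AEAD: a}, &Receiver{AEAD: a, DeviceID: "XFMR-07"}
	cmd, err := r.Open(s.Seal("XFMR-07", []byte("OPEN BREAKER 3")))
	fmt.Printf("%q %v\n", cmd, err) // "OPEN BREAKER 3" <nil>
}
```

A frame captured off the air and rebroadcast, a frame with a flipped bit, or a frame sealed for a different transformer all fail in Open, so a stronger transmitter on the same frequency no longer gets to give commands.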

Many people dismiss the significance of an attack on the power grid. As one senior U.S. government official said to me, “Power blackouts take place all the time. After a few hours, the lights come back.” Maybe not. The power comes back after a few hours when what has caused it to fail is a lightning storm. If the failure is the result of intentional activity, it will likely be a much longer blackout. In what is known as the “Repeated Smackdown Scenario,” cyber attacks take down the power grid, and keep it down for months.

If the attacks destroy generators, as in the Aurora tests, replacing them can take up to six months, because each must be custom built. Having an attack take place in many locations simultaneously, and then happen again when the grid comes back up, could cripple the economy by halting the distribution of food and other consumer goods, shutting down factories, and forcing the closure of financial markets.

Do we really need improved regulation? Should we force power companies to spend more to secure their networks? Is the need real? Let’s ask the head of U.S. Cyber Command, General Keith Alexander, the man whose cyber warriors would attack other nations’ electric grids. Knowing what he knows he can do to others, does the General think we need to do more to protect our own power grid? That’s essentially what he was asked in a congressional hearing in 2009. He replied, “So the power companies are going to have to go out and change the configuration of their networks…. [T]o upgrade their networks to make sure they are secure is a jump in cost for them…. And now you’re going to have to work through their regulatory committees to get the rate increases so that they can actually secure their networks…. [H]ow does government, because we’re interested in perhaps having reliable power, how do we ensure that that happens as a critical infrastructure?” It was a little rambling, but General Alexander seemed to be saying that power companies need to reconfigure so we can have secure, reliable electricity, that this may mean they have to spend more, and that the regulatory organizations will have to help make that happen. He’s right.

The third prong of the Defensive Triad is Defense itself, as in the Department of Defense. There is little chance that a nation-state would stage a major cyber attack against the U.S. without trying to cripple DoD in the process. Why? While a nation-state actor might try to cripple our country and our will by destroying private-sector systems like the power grid, pipelines, transportation, or banking, it is hard to imagine such actions coming as a bolt from the blue. Cyber attacks would likely come only in a period of heightened tensions between the U.S. and the attacker nation. In such an atmosphere, the attacker would probably already fear the possibility of conventional, or kinetic, action by the U.S. military. Moreover, if an opponent were going to hit us with a large cyber attack, they would have to assume that we might respond kinetically. A cyber attack on the U.S. military would likely concentrate on DoD’s networks.

For simplicity, let’s say that there are basically three DoD networks. The first, NIPRNET, is the unclassified intranet. Systems on that network use the dot-mil addresses. The NIPRNET connects to the public Internet at sixteen nodes. While it is unclassified data that moves on NIPRNET, unclassified does not mean unimportant. Most logistical information, like supplying Army units with food, is on the NIPRNET. Most U.S. military units cannot sustain themselves for long without support from private-sector companies, and most of that communication goes through the NIPRNET.

The second DoD network is called SIPRNET and is used to pass secret-level classified information. Many military orders are transmitted over the SIPRNET. There is supposed to be an “air gap” between the unclassified and secret-level networks. Users of the classified network download things from the Internet and upload them to the SIPRNET, thus sometimes passing malware along unknowingly. Pentagon information security specialists call this problem the “sneakernet threat.”

In November 2008, a Russian-origin piece of spyware began looking around cyberspace for dot-mil addresses, the unclassified NIPRNET. Once the spyware hacked its way into NIPRNET computers, it began looking for thumb drives and downloaded itself onto them. Then the “sneakernet effect” kicked in. Some of those thumb drives were then inserted by their users into classified computers on the SIPRNET. So much for the air gap. Because the secret network is not supposed to be connected to the Internet, it is not supposed to get viruses or worms. Therefore, most of the computers on the network had no antivirus protection, no desktop firewalls or similar security software. In short, computers on DoD’s most important network had less protection than you probably have on your home computer.

Within hours, the spyware had infected thousands of secret-level U.S. military computers in Afghanistan, Iraq, Qatar, and elsewhere in the Central Command. Within a few more hours, the highest-ranking U.S. military officer, Admiral Mike Mullen, the Chairman of the Joint Chiefs of Staff, was realizing how vulnerable his military really was. According to a high-ranking Pentagon source, Mullen screamed, “You mean to tell me that I can’t rely on our operational network?” at the network specialists briefing him. The network experts on the Joint Staff acknowledged the Admiral’s conclusion. They did not seem surprised; hadn’t he known that already? Horrified at a huge weakness that Majors and Captains seemed to take for granted, but which had been kept from him, Mullen looked around for a senior officer. “Where’s the J-3?” he demanded, looking for the Director of Operations. “Does he know this?”

Shortly thereafter, Mullen and his boss, Secretary of Defense Robert Gates, were explaining their discovery to President Bush. The SIPRNET was probably compromised. The netcentric advantage the U.S. military thought it enjoyed might just prove to be its Achilles’ heel. Perhaps Mullen should not have been surprised. There are over 100,000 SIPRNET terminals around the world. If you can get time alone with one terminal for a few minutes, you can upload malware or run a covert connection to the Internet. One friend of mine described a SIPRNET terminal in the Balkans that a Russian “peacekeeper” could easily get to without being observed. Just as in World War II, when the Allies needed only one German Enigma code machine in order to break the Nazis’ encryption, so, too, if one SIPRNET terminal is compromised, can malware be inserted that could affect the entire network. Several experts who worked on SIPRNET security-related issues confirmed to me the scary conclusion. As one said, “You got to assume that it’s not going to work when we need it.” He explained that if, in a crisis, that command and control network were brought down by an enemy, or, worse, if the enemy issued bogus commands, “the U.S. military would be severely disadvantaged.” That’s putting it mildly.

The third major DoD network is the Top Secret/Sensitive Compartmented Information (TS/SCI) network called JWICS. This more limited network is designed to pass along intelligence information to the military. Its terminals are in special highly secured rooms known as Sensitive Compartmented Information Facilities, or SCIFs. People also refer to those rooms as “the vault.” Access to these terminals is more restricted because of their location, but the information flowing on the network still has to go across fiber-optic cables and through routers and servers, just as with any other network. Routers can be attacked to cut communications. The hardware used in computers, servers, routers, and switches can all be compromised at the point of manufacture or later on. Therefore, we cannot assume that even this network is reliable.

Under the CNCI plan, DoD is embarked on an extensive program to upgrade security on all three kinds of networks. Some of what is being done is classified, much of it is expensive, and some of it will take a long time. A real possibility is the use of high-bandwidth lasers to carry communications to and from satellites. Assuming the satellites were secure from hacking, such a system would reduce the vulnerabilities associated with fiber-optic cable and routers strung out around the world. There are, however, a few important design concepts using currently available technology that should be included in the DoD upgrade program quickly, and they are not budget busters:

  • in addition to protecting the network itself, guard the end points; install desktop firewalls and antivirus and intrusion-prevention software on all computers on all DoD networks, whether or not they are connected to the Internet;
  • require all users on all DoD networks to prove who they are when they sign on through at least two factors of authentication;
  • segment the networks into subnets with limited “need to know” access rules for connecting out of the subnets;
  • go beyond the current limited practice of bulk encrypting, which scrambles all traffic as it moves on trunk fiber cables, and encrypt all files on all computers, including data at rest in data-storage servers;
  • monitor all networks for new unauthorized connections to the network, automatically shutting off unknown devices.

Even if its networks are secure, DoD runs the risk that the software and/or hardware it has running its weapons systems may be compromised. We know the plans for the new F-35 fighter were stolen by a hack into a defense contractor. What if the hacker also added to the plans, perhaps a hidden program that causes the aircraft to malfunction in the air when it receives a certain command that could be radioed in from an enemy fighter? Logic bombs like that can be hidden in the millions of lines of code on the F-35, or in the many pieces of firmware and computer hardware that run the aircraft. As one pilot told me, “Aircraft these days, whether it’s the F-22 Raptor or the Boeing 787…all they are is a bunch of software that happens to be flying through the air. Mess with the software and it stops flying through the air.” I thought of the Air France Airbus that crashed in the South Atlantic because its computer made a wrong decision.

The computer chips U.S. weapons use, as well as some of the computers or their components, are made in other countries. DoD’s most ubiquitous operating system is Microsoft Windows, which is developed around the world on development networks that have proven vulnerable in the past. This supply-chain concern is not easily or quickly solved. It is one of the areas that the 2008 Bush plan focused on. New chip factories, or fabs, are being built in the U.S. Some private-sector companies are developing software to check other software for bugs. In addition to adding quickly to the security of its networks, one of the most important things the Pentagon could do would be to develop a rigorous standards, inspection, and research program to ensure that the software and hardware being used in key weapons systems, in command and control, and in logistics are not laced with trapdoors or logic bombs.

So that’s the Defensive Triad strategy. If the Obama Administration and the Congress were to agree to harden the Internet backbone, separate and secure the controls for the power grid, and vigorously pursue security upgrades for Defense IT systems, we could cast doubt in the minds of potential nation-state attackers about how well they would do in launching a large-scale attack against us. And even if they did attack, the Defensive Triad could mitigate the effects. It is admittedly difficult to measure the financial cost of these programs at this point in their development, but in terms of implementation difficulty, they could all be phased in over five years. If implemented with the thought in mind that we want to be able to derive some benefit from the improvements even before they are fully deployed, there could be a steady increase over those five years in the degree of difficulty for a nation-state thinking about cyber war against us. Unless and until this plan or some similar defensive strategy that includes the private-sector networks is implemented, being in a cyber war would probably not be good news for the United States.

If we do the Defensive Triad, we will have the credibility to say some things that will add further to our ability to deter cyber attack. Sometimes just saying things, things that do not always cost money, can buy you added security, if you have credibility. The capstone of the triad is our “declaratory posture” toward those nation-states that would think about attacking us through cyberspace. A declaratory posture is a formally articulated statement of the policy and intention of the government. We do not have an authoritatively articulated policy today about how we would regard a cyber attack and what we would do in response. Some in the councils of a potential attacker could argue that the U.S. response to a cyber attack might be fairly minimal, or confused.

We do not want to be in a situation similar to what John Kennedy found himself in after he discovered that there were nuclear-armed missiles in Cuba. He declared that any such missile fired by anyone (Russian or Cuban) from Cuba toward “any nation in this hemisphere would be regarded as an attack, by the Soviet Union, upon the United States, requiring a full retaliatory response.” Those words were chilling when I first heard them as a twelve-year-old; they remain so today. If the U.S. had said that before the missiles went to Cuba, the Kremlin might not have sent them.

A public declaration about what we would do in case of a cyber attack should, however, not limit future decisions. There needs to be a certain “constructive ambiguity” in what is said. In the event of a major cyber attack, there will likely be an unhelpful ambiguity about who attacked us, and our declaratory policy needs to take that into account as well. Imagine, then, Barack Obama addressing the graduating class of one of the four U.S. military academies, something he will do four times in his first term in office. He looks out on the sea of uniformed new officers and their parents, describes the phenomenon of cyber war, and then says: “So let me make this clear to any nation that may contemplate using cyber weapons against us. The United States will regard a cyber attack that disrupts or damages our military, our government, or our critical infrastructure as we would a kinetic attack that had the same target and the same effect. We would consider it a hostile act in our territory. In response to such aggression in our cyberspace, I, as Commander in Chief, will draw upon the full panoply of power available to the United States of America and will not be limited as to the size or nature of our response by those characteristics of the attack upon us.”

“Panoply of power” is a presidential phrase. It says he may respond with diplomatic, economic, cybernetic, or kinetic means, as he chooses and as appropriate, taking into account the target and the effect. International lawyers will quibble about the “not be limited” line, noting that defensive responses are supposed by international law conventions to be commensurate with the attack. Suggesting the response might be incommensurate, however, adds to deterrence. In nuclear strategy this idea was called “escalation dominance”—responding to a lower-level attack by moving rapidly up the escalation ladder and then saying that the hostilities must end. It sends the message that you are not willing to engage in some prolonged, slow-bleeding conflict. It is an option that the President must have, whether or not he uses it.

What if, as is likely, the attribution problem occurs and the attacker hides behind the skirts of “citizen hacktivists” or claims the attack merely transited their country, but did not originate there? Anticipating this claim in advance, Obama pauses in his address and then adds, “Nor will we be fooled by claims that a cyber attack was the work of citizen hacktivists or that attribution is uncertain. We have the capability to determine attribution to the degree necessary. Moreover, we reserve the right to consider a refusal to stop, in a timely manner, an attack emanating from a country as the equivalent of the government of that country engaging in the attack. We will also judge a lack of serious cooperation in investigations of attacks as the equivalent of participation in the attack.”

The Obama Doctrine would be one of cyber equivalency, in which cyber attacks are to be judged by their effects, not their means. They would be judged as if they were kinetic attacks, and may be responded to by kinetic attacks, or other means. The corollary is that nations have a national cyberspace accountability and an obligation to assist, meaning that they would have a responsibility to prevent hostile action coming from servers in their country and must promptly hunt down, shut off, and bring to justice those who use their cyberspace to disrupt or damage systems elsewhere. America would also have these obligations and would have to shut off botnets attacking nations like Georgia from places like Brooklyn. If the Tier 1 ISPs were scanning their networks, the obligation to assist would be fairly easy to carry out.

Were Obama or a future President to articulate such a doctrine, the United States would have made clear that it regarded cyber attacks that disrupt or damage things not as a lesser, more permissible form of national action just because they may not result in colorful explosions or in piles of body bags. If the President also adopted something like the Defensive Triad, the U.S. would finally have a credible cyber war defensive strategy.

So, once we have reasonable defenses in place, would we then be able to go on the offensive, using our new cyber warriors to achieve military dominance of cyberspace for the United States of America?